ARTICLE
1 July 2026

Extending The Regulatory Perimeter Beyond Outsourcing: MAS' Proposed Third-party Risk Management Guidelines And Lessons From Australia's CPS 230

Herbert Smith Freehills Kramer LLP


Financial regulators around the globe continue to sharpen their focus on operational resilience, driven by the growing digitalisation of financial services, increasing reliance on third-party service providers, and heightened technology and cyber risks. A common theme across jurisdictions is the extension of regulatory expectations beyond traditional outsourcing to encompass all material third-party arrangements. For organisations operating across multiple APAC jurisdictions, understanding the commonalities and differences between these regimes is critical to developing an efficient, coordinated compliance approach — and to anticipating the commercial and contractual implications that flow from them.

The Monetary Authority of Singapore (MAS) is set to overhaul its regulatory framework for third-party risk management, having consulted the public on proposed new guidelines from 6 March to 20 April 2026.  The proposed guidelines incorporate key elements of international standards and, most importantly, extend MAS' expectations beyond outsourcing to cover all third-party arrangements. A six-month transition period has been proposed for the implementation of the guidelines. 

In Australia, the Australian Prudential Regulation Authority (APRA) has already implemented a comparable regime through Prudential Standard CPS 230 Operational Risk Management, which commenced on 1 July 2025 (with a transitional period for pre-existing contractual arrangements). CPS 230 similarly extends regulatory expectations beyond outsourcing to all material service provider arrangements and imposes prescriptive contractual requirements on APRA-regulated entities. The Australian experience in operationalising CPS 230 offers useful insights for financial institutions (FIs) in Singapore as they prepare for the proposed MAS guidelines.

In contrast, the requirements applicable to FIs' third-party risk management in Indonesia are not consolidated in a single guideline or regulation. Indonesia's Financial Services Authority (Otoritas Jasa Keuangan, or OJK) regulates this area through a modular framework of separate regulations which continue to be updated, including those governing risk management, outsourcing, and the use of information technology by banks and certain other FIs. It is also worth noting that general outsourcing regulations issued by the Manpower Ministry apply, and that Bank Indonesia (the central bank) has separate regulations governing these matters for payment service providers. 

This briefing

In this briefing, we set out recommended next steps and a snapshot of the MAS, APRA and OJK frameworks.  

For those who wish to read more, we have also included a more detailed overview of the proposed MAS guidelines as well as areas to note based on our experience in advising clients on APRA’s CPS 230.  

Please feel free to reach out to any of our key contacts below or your regular contact at our firm to discuss any aspect of these developments.

Next steps: What should you be doing now?

With the MAS consultation having closed on 20 April 2026 and final guidelines expected in the coming months, FIs operating in Singapore should be taking steps now to prepare for the transition period. Drawing on lessons from the Australian experience with CPS 230, FIs should consider:

  • Mapping your third-party landscape – Conduct a comprehensive inventory of all third-party arrangements (not just traditional outsourcing) and assess which are likely to be classified as material. This will also inform your register submission obligations.
  • Engaging early with counterparties – Engage with counterparties now about potential materiality classifications and the contractual amendments that may be required. The Australian experience demonstrates that these negotiations can be protracted, particularly with global service providers.
  • Reviewing existing contracts – Identify gaps between current contractual terms and the minimum content expectations in the proposed guidelines.
  • Updating governance frameworks – Ensure board oversight arrangements, risk management frameworks and third-party risk management policies are aligned with the proposed guidelines, including clear escalation processes for adverse developments.
  • Coordinating across jurisdictions – For organisations operating in both Singapore and Australia (or other jurisdictions with comparable regimes), develop a harmonised compliance approach and common contractual provisions that satisfy multiple regimes, reducing complexity and cost.

Snapshot of the MAS, APRA and OJK frameworks 

Scope
  • MAS Proposed Guidelines: All third-party arrangements of FIs regulated under Singapore's Financial Services and Markets Act 2022 (not just traditional outsourcing)
  • APRA CPS 230: All service provider arrangements of APRA-regulated entities (banks, insurers and superannuation fund trustees)
  • OJK Framework: Outsourcing and engagement of third parties in IT implementation by banks and other FIs are subject to various OJK regulations

Materiality framework
  • MAS Proposed Guidelines: Principles-based assessment considering factors such as impact on earnings and liquidity, reputation and brand value, customers, counterparties, and the Singapore financial market
  • APRA CPS 230: Two-part test: does the entity rely on the provider for a critical operation, or does the provider expose it to material operational risk? Certain service categories are automatically deemed material unless the entity can justify otherwise
  • OJK Framework: Outsourcing covers both delegation of work to a third party and supply of manpower by a third party. Only supporting activities (non-core functions) can be outsourced. IT implementation includes operation of core applications and placement of data centres and disaster recovery centres

Register requirement
  • MAS Proposed Guidelines: FIs must submit a register of their third-party arrangements to MAS twice a year and upon request (covering at minimum all material arrangements, including material sub-contractors where possible)
  • APRA CPS 230: Regulated entities must submit a register of material service providers to APRA annually
  • OJK Framework: No express requirement to maintain a register, but plans to engage the relevant third parties must be submitted to OJK

Prescribed contractual terms
  • MAS Proposed Guidelines: Yes – contracts for material third-party arrangements must address matters such as information and audit rights, termination rights, key performance benchmarks and conditions governing material sub-contractors (if the specified matters are not addressed, the FI must assess and document how the relevant risk is mitigated)
  • APRA CPS 230: Yes – formal agreements must include prescribed minimum content covering service levels, rights and responsibilities, sub-contractor notification, liability allocation, force majeure, termination and regulator access
  • OJK Framework: Yes – agreements must include minimum terms such as rights and obligations, reporting requirements, customer confidentiality, service levels, termination rights, and regulator access

Regulator access rights
  • MAS Proposed Guidelines: In the event of adverse developments, FIs must notify MAS as soon as possible, and inform the service provider to cooperate with MAS by providing comprehensive and timely information
  • APRA CPS 230: Contracts must give APRA access to relevant documents and data, the right to conduct on-site visits, and an undertaking from the provider not to obstruct APRA
  • OJK Framework: Service providers must provide audit rights to OJK and/or other authorities if required

Sub-contractor / fourth party oversight
  • MAS Proposed Guidelines: FIs should have the ability to monitor and control the risks arising from their arrangements even when service providers use sub-contractors, and should take reasonable steps to hold material sub-contractors to similar standards as the primary service provider
  • APRA CPS 230: Service providers must notify the entity of material sub-contractors; the service provider remains liable for any sub-contractor failures
  • OJK Framework: Prior approval of the FI will be required for any subcontracting

Exemptions
  • MAS Proposed Guidelines: Government technology services, financial market infrastructures (e.g. clearing houses), utilities (e.g. telecoms), and non-financial services where the provider has no access to confidential information
  • APRA CPS 230: APRA may grant entity-specific adjustments or exclusions; for foreign banks, certain insurers and foreign life insurers, only Australian branch operations are in scope

A more detailed overview of the MAS proposed guidelines on third-party risk management 

The proposed Guidelines on Third-Party Risk Management (Guidelines) are attached to the consultation paper.

In light of the increase in FIs’ reliance on third-party services and their evolving use of third-party services beyond outsourcing, MAS considers it necessary to strengthen FIs' oversight of third-party arrangements by:

Application

The Guidelines are intended to apply to FIs as defined in Section 2 of the Financial Services and Markets Act 2022, other than authorised reinsurers and approved marine, aviation and transit insurers.

Annex 3 of the Guidelines sets out services that are exempt, including:

  • services wholly provided by the Government Technology Agency or its agents (see list);
  • financial markets infrastructure (such as clearing houses and trade repositories) and utilities (such as telecommunications and electricity service providers);
  • services that are not for the conduct of any financial business of the FI and where the service provider does not receive, handle or have access to the FI's confidential information or customer information (such as cleaning and gardening services).

Nonetheless, FIs should still have appropriate business continuity measures and incident response plans in place to address the risks arising from their use of the above exempt services (such as service disruption or compromise of confidential information).

Existing guidance

The Guidelines are intended to supersede the following: 

However, MAS notes that the following notices will remain in effect and continue to set baseline requirements for banks and merchant banks in their management of outsourcing arrangements (they should comply with these notices as well as the proposed Guidelines):

Six-month transitional period

MAS proposes that the Guidelines take effect 6 months from the date of issuance to allow time for relevant FIs to make necessary preparations, such as enhancing policies and procedures and updating third-party service agreements.

Pending the issue of the Guidelines, MAS expects relevant FIs to manage the operational, technology and cyber risks associated with their third-party arrangements.  This includes, for example, renewing risk evaluations in response to significant changes or incidents that affect the service provider's risk posture.  FIs must also establish robust business continuity measures and effective incident response mechanisms to minimise service disruptions arising from service provider-related incidents.

Other key elements proposed

Proportionate implementation

The extent and degree to which an FI implements the expectations in the Guidelines should be commensurate with the size and complexity of the FI and the nature of the risks in (and materiality of) the third-party services used.  Annex 1 to the Guidelines provides guidance on assessing whether a third-party arrangement would be considered material.

Oversight of branch/subsidiary by FI

An FI with a branch or subsidiary under it, and which:

  • is subject to consolidated supervision by MAS (including locally-incorporated FIs from the banking and insurance sectors); or
  • is an owner of critical information infrastructure (as defined in the Cybersecurity Act 2018), 

is expected to consider the impact of third-party services used by its branch and/or subsidiary (including those located outside Singapore) on its consolidated operations.  

Such FI is expected to:

  • ensure that the proposed guidelines are observed by its branches/subsidiaries;
  • have in place clear structures and processes by which its board and senior management discharge their roles in the oversight and management of third-party risks on it and its branches/subsidiaries;
  • notify MAS of adverse developments in the use of third-party services encountered by its branches/subsidiaries.

Record and register of third-party arrangements

An FI should consider maintaining an up-to-date record of its third-party arrangements in order to identify and monitor changes in the risk materiality of such arrangements, understand its concentration risk, and map dependencies and interconnections relating to material arrangements, where possible.

An FI will be required to submit a register of third-party arrangements to MAS (using the draft template set out in Annex B of the consultation paper) semi-annually and upon request.  The register should at least include all of the FI's material third-party arrangements (including material sub-contractors, where possible).  

Banks and merchant banks (to which MAS Notices 658 and 1121 will continue to apply) will only need to submit one register (in the proposed format under Annex B of the consultation paper) covering the third-party arrangements in scope.

Governance, risk management and strategy

While an FI may delegate day-to-day operational duties to the service provider, the responsibilities for maintaining effective oversight and governance of third-party arrangements, managing the associated risks and implementing a sound risk management framework, continue to rest with the FI, its board and senior management.

The Guidelines set out the responsibilities of an FI's board and senior management, including (among others) ensuring that there are adequate processes to provide a comprehensive view of the FI’s risk exposure from third-party services, and incorporating the assessment and mitigation of such risks into the FI’s risk management framework.

The Guidelines also state MAS' expectations regarding a third-party risk management strategy which aligns with the FI's overall risk appetite (including operational risk and technology risk), and sets out the areas which such strategy should cover.

Third-party arrangement life cycle

The Guidelines set out expectations regarding five stages of a third-party arrangement’s life cycle: 

  • Stage 1: Risk assessment – FIs should identify and assess the types and levels of risks (both financial and non-financial) and the materiality of potential services provided through a third-party arrangement.  Risk assessments should be performed (i) when planning to enter into a third-party arrangement with an existing or new service provider, (ii) when there are major changes impacting an existing arrangement, and (iii) as part of periodic internal control reviews.
  • Stage 2: Due diligence – Various areas should be considered when an FI performs due diligence on a service provider, such as financial and business viability, ability to deliver service in line with the expected service level, and governance and risk management.  Guidance on measures to take to monitor and manage concentration risks has also been included.   Banks and merchant banks will continue to be subject to the requirements regarding the frequency of due diligence in respect of material ongoing outsourced relevant services under MAS Notices 658 and 1121.
  • Stage 3: Contracting – Agreements for material third-party arrangements should address specified matters, such as information and audit rights, obligations and responsibilities of the service provider relating to business continuity management and disaster recovery, key performance benchmarks, conditions governing material sub-contractors, and the right to terminate the service provider agreement upon specified events, for example, where there has been a demonstrable deterioration in the ability of the service provider to safeguard the confidentiality or integrity of customer information.  Where the specified matters are not addressed in the agreement, the FI should assess and document how the relevant risk is mitigated.
  • Stage 4: Onboarding and ongoing monitoring – The Guidelines set out MAS’ expectations regarding ongoing due diligence and monitoring of third-party arrangements, as well as independent audits or expert assessments of material third-party arrangements.  Banks and merchant banks will continue to be subject to the requirements regarding the audit frequency of material ongoing outsourced relevant services under MAS Notices 658 and 1121.
  • Stage 5: Termination – MAS proposes that an FI should maintain exit plans to cater for different plausible termination scenarios and sets out its expectations on the areas that should be provided in such plans.  It also sets out the scenarios under which an FI should consider whether to terminate the service provider agreement, and the circumstances under which MAS may direct an FI to terminate.

Use of sub-contractors

An FI should have the ability to monitor and control the risks arising from its arrangements even when a service provider uses a sub-contractor.  FIs will need to include material sub-contractors, to the extent possible and practicable, in their record of third-party arrangements.  For material third-party arrangements, an FI should take reasonable steps, on a risk proportionate and best efforts basis, to ensure that material sub-contractors are held to similar standards as service providers.

While MAS does not prohibit FIs from arrangements involving pass-through sub-contracting (where an FI's service provider sub-contracts all or the bulk of the services), MAS expects the FI to assess the risks involved, put in place mitigating measures, and ensure effective oversight.

Adverse developments

When an FI is notified by the service provider of an adverse development, MAS expects the FI to inform the service provider to cooperate with MAS by providing comprehensive and timely information relating to the services provided.  Where the level of cooperation from the service provider is lacking, MAS will consider further action and, in egregious cases, request the FI to terminate or not renew its arrangements with the service provider.

Experience from APRA's CPS 230

CPS 230 applies to all APRA-regulated entities, including authorised deposit-taking institutions (ADIs), general insurers, life companies, private health insurers and registrable superannuation entity licensees. Like the proposed Guidelines, CPS 230 moves beyond traditional outsourcing to impose requirements on all material service provider arrangements, regardless of whether the arrangement constitutes outsourcing in the conventional sense.

Identification of material service providers

Under CPS 230, APRA-regulated entities must identify and maintain a register of their material service providers (MSPs). MSPs are defined as those on which the entity relies to undertake a "critical operation" or that expose it to "material operational risk". CPS 230 prescribes minimum categories of services that must be classified as giving rise to MSP status (unless the entity can justify otherwise), including credit assessment, funding and liquidity management, and mortgage brokerage (for ADIs), and risk management, core technology services and internal audit (for all APRA-regulated entities). This is broadly analogous to the materiality assessment framework proposed by MAS under Annex 1 to the Guidelines, although the MAS framework adopts a more principles-based approach to materiality rather than prescribing deemed categories.

Contractual requirements

CPS 230 imposes prescriptive minimum content requirements for formal agreements with MSPs. These include requirements to specify services and service levels, set out rights and responsibilities (including data ownership, dispute resolution, audit access, liability and indemnity), include provisions ensuring the entity can meet its legal and compliance obligations, require notification of material sub-contractors, allocate liability for sub-contractor failures to the service provider, include force majeure provisions, and provide for termination rights. 

The formal agreement must also include provisions granting APRA access to documentation and data, the right to conduct on-site visits, and an undertaking by the service provider not to impede APRA in fulfilling its regulatory duties. 

These requirements closely align with the contracting expectations set out in the MAS Guidelines, particularly regarding audit and access rights, sub-contractor oversight, and termination provisions.

Practical issues and lessons from the Australian experience

The implementation of CPS 230 in Australia has given rise to a number of practical challenges that are likely to be relevant for FIs and service providers in Singapore as they prepare for the implementation of the MAS Guidelines. Key observations include:

  • Classification disputes – Under CPS 230, the obligation to identify MSPs rests with the APRA-regulated entity, and service providers have no formal right of challenge. In practice, service providers (particularly data and technology providers) have sought to engage with their customers to understand and, where appropriate, push back on MSP classifications. Key questions include whether the service provider is truly providing a "critical operation" or merely one input into a broader process, and whether the entity's reliance on the service is genuinely "material" having regard to the availability of alternative providers. Similar dynamics are likely to arise under the MAS framework, and both service providers and FIs should consider developing a structured approach to engaging with each other on materiality assessments.
  • Contract renegotiation – Where a service provider is classified as material, the prescriptive contractual requirements under CPS 230 (and, similarly, under the proposed MAS guidelines) often necessitate amendments to existing agreements. In Australia, this has required service providers to accept new obligations regarding sub-contractor notification, liability allocation for sub-contractor failures, force majeure carve-outs, and regulator access rights. Service providers have sought to manage their exposure by negotiating appropriate limitations on these obligations (for example, limiting sub-contractor notification to material sub-contractors, capping liability, and ensuring that regulator access rights are subject to reasonable confidentiality protections). FIs and service providers in Singapore should anticipate similar renegotiation dynamics and factor sufficient lead time into their transition planning and repapering processes.
  • Regulator access provisions – A particularly contentious area in CPS 230 negotiations has been the requirement for service providers to grant APRA access to documentation and data, permit on-site visits, and agree not to impede APRA in fulfilling its regulatory duties. These are standing contractual obligations that must be embedded in every formal agreement with an MSP. By contrast, the proposed MAS guidelines frame regulator access as an incident-triggered expectation: when an FI is notified of an adverse development, it must inform the service provider to cooperate with MAS by providing comprehensive and timely information. While the MAS approach is less prescriptive, global service providers should nonetheless consider how to structure access provisions in a manner that satisfies both regimes while managing operational and legal risks, particularly where confidentiality obligations owed to other clients or data protection requirements in other jurisdictions may be triggered.
  • Sub-contractor and fourth party risk – Both CPS 230 and the proposed MAS guidelines require visibility over material sub-contractors (referred to as "fourth parties" under CPS 230). In practice, service providers have resisted blanket obligations to notify customers of all sub-contracting arrangements, and negotiations have focused on defining appropriate materiality thresholds and the scope of liability for sub-contractor failures. Service providers should consider their sub-contracting arrangements and develop a clear position on the extent of disclosure and liability they are willing to accept. At the same time, FIs should be thinking about the level of risk they are willing to bear.
  • Transition timelines – CPS 230 provides that pre-existing contractual arrangements must comply with the new requirements by the earlier of the next contract renewal date or 1 July 2026. This has created a compressed timeline for renegotiation of existing agreements, particularly where service providers have large numbers of APRA-regulated customers. MAS' proposed six-month transition period is not tied to the contract renewal date, but FIs should nonetheless prioritise the identification of material third-party arrangements and commence engagement with service providers at the earliest opportunity.
